create new tag
, view all tags

SID-02307: Want no auth check for editformfield updates

Status: Answered Answered TWiki version: 6.0.1 Perl version: 5.10.1 for x86_64-linux-thread-multi
Category: CategoryAuthentication Server OS: CentOs 6.x Last update: 1 year ago


Assume a custom plugin that provides this (all the happy twiki formatting broken by additional spacing so that I don't have to worry about something being interpreted smile ):

% FOO{bar="foo" baz="fnorb"} %

The result is a twiki table generated from a db lookup, based on the inputs for bar and baz.

Attached to the topic where the FOO is called, a topic with field names 'foo' and 'baz'. Now edit the FOO to

... Set BAR = % FORMFIELD { "bar" } %
... Set BAZ = % FORMFIELD { "baz" } %

% FOO{ bar="%BAR%" baz="%BAZ%" } %

I generate an edit form on the topic, using 'editformfield' techniques and action='save', so that a user need only change the values in the form, and hit the update button. When the topic reloads, the form data has changed, the Sets happen, then the FOO happens, and the table is updated based on the db lookup.

Maybe could be simplified (have not bothered figuring out the syntax to use FORMFIELD in the FOO{} construct), but for now, works like a charm.

For the auth/access control complication, however:

I want to allow users who are not logged in, to edit the form, to perform the update, to search the database, to load and display the new table... And I can't seem to get there.

... Set ALLOWTOPICSAVE = Main. AllUsersGroup

seems to be what I want, but the topic still wants me to log in before it will allow the action. I've got view, save and edit allowtopic settings, but it still requires authorization (as if it were Main dot AllAuthUsersGroup).

I don't want to change login from the current Template to None, but my understanding of that is, if I did, then all users would be then using TwikiGuest, and TwikiGuest would be included in AllUsersGroup.

So is this an Auth, or an Access Control question, and how can I allow someone who is not logged in, to use the form to update the field data (short of using a cgi tool outside of TWiki to edit a file outside of TWiki, that would then be sourced by the FOO plugin...)

Thank you for your time, rw

-- Richard Williamson - 2017-03-15

Discussion and Answer

It is possible to allow unidentified users to edit and save, but it comes at a price and I don't know of a solution to allow this for an individual web or topic, while keeping the traditional redirection to login for the rest of the topics. There is no need to drop the login manager: You can still keep Template login, and you can still restrict access for your topics to individual users or groups, but you need to do this explicitly or everyone can edit them as TWikiGuest. For example, the edit restriction of the TWiki web to the administration will still work.

To do this, you need to configure your TWiki, click the "Yes, I've read all the documentation" button (I'm sure you did), and clear the list of actions in the {AuthScripts} field. This skips the redirection to the login page completely, but does not disable access control: Either you have access, then you can edit (or attach, save, ...) the page under your current user (which is guest unless you log in), or you don't have, then you get an error page which tells you that you are not allowed to perform that action. You can log in from any page which is not an error message (assuming you use the default pattern skin) from the "Account" menu on the right of the screen.

-- Harald Jörg - 2017-03-15

The TWiki installation is behind a corporate firewall. It isn't used for "corporate" wiki, it's my internal note taking/project notes/CRM. Still I want to really require logins because it allows me to track if someone is editing my notes.

At the same time, a lot of what I do are "amusing little tools" that make the rest of the team's life easier. As I work in a technical sales related position, "the team" are a bunch of silly account managers, sales droids and mostly NTs. ("non-technicals"). The goal is to allow an NT to use the tools, without forcing them to struggle through creating a login. (from their point of view... creating a user login is a struggle...).

What I've done is made an internal User login with a default name/pw combo, and the topics that present the tools have a "Read Me First: If you get a demand to log in, use these credentials to log in: .../...". They then can run the tooling.

Next, I'll see if I can use the DENY semantics to deny that default user from changing other pages, while giving the ALLOW on the pages where the tools are. So far not yet, but I'm sure I'll figure it out.

And, I can always revert...

-- Richard Williamson - 2017-03-16

If you create a custom plugin you can circumvent the access control. There are TWikiFuncDotPm functions to ignore access control.

Look also into creating a custom "then-action" for the IfThenActionPlugin.

-- Peter Thoeny - 2017-03-19

Except the problem is not the custom plugin, the problem is the

(non syntactically correct)

EDITFORMFIELD{ "form" type="start" action="save" topic="BASETOPIC" }>
EDITFORMFIELD{ "form" type="submit" value="Update" }
EDITFORMFIELD{ "form" type="end" }

I want the 'action="save"' to disregard access control/auth checking. I'd like anyone, logged in or no, to be able to click the 'Update' button.

My interpretation of the infrastructure, whichever variant I choose, they all start with the "save" which is blocked because the use case is "not logged in".

I believe it should be possible to create a new script action, "naoksa" (non-authorized OK save anyway), that would validate the Web, Topic against a whitelist, bypass the authentication check (possibly by overriding the User in the session context?), and then run the save action. I'll investigate that.

-- Richard Williamson - 2017-03-20

      Change status to:
ALERT! If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.
Status Answered
Title Want no auth check for editformfield updates
SupportCategory CategoryAuthentication
TWiki version 6.0.1
Server OS CentOs 6.x
Web server Apache/2.2.15 (Unix)
Perl version 5.10.1 for x86_64-linux-thread-multi
Browser & version Firefox/Chrome tested
Edit | Attach | Watch | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r5 - 2017-03-20 - RichardWilliamson
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2018 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.